[Chugalug] OT: Favorite Enterprise Firewalls?
lists at masterforge.com
Thu Apr 18 13:24:21 UTC 2013
On 04/17/2013 10:50 PM, Dave Brockman wrote:
> On 4/17/2013 4:42 PM, Jason Brown wrote:
>> On 04/17/2013 10:42 AM, Dave Brockman wrote:
>>> to buy that second $20k, $40k, $80k unit however. And often
>>> "support" with firewalls is not actually support, but
>>> subscriptions to their Anti-virus signatures, Anti-SPAM
>>> signatures, IPS/IDS signatures, botnet traffic filter licenses,
>>> etc etc etc. Did you see support in that list? Me neither.
>> Yep, support is in that list, from the linked page: A support
>> subscription provides you with 24x7x365 direct access to the
>> pfSense team with guaranteed response time for all your
> I was actually referring to the "Enterprise" competitors there....
Gotcha, I really should send them some money. We have submitted
patches and fixes to them though (only small ones).
>>> A much wiser man than myself once told me this: "I can decrease
>>> your downtime directly proportional to the size of your wallet,
>>> it's up to you and your wallet to determine how much downtime you
>>> can actually afford."
>> This is ABSOLUTELY true! But in my opinion the approach to
>> infrastructure design is much more important than the vendor /
>> hardware. If you are going for more than "three nines" then every
>> part of the infrastructure should be redundant. If that means that
>> it costs less for one, you can buy two, or four.
> We are in agreement here.
>>>> For those people that want it, pfSense also provides the 24/7
>>>> support at a reasonable price. I have not used it personally.
> More than one of us on this list [can|have|do] provide support for
> pfSense as well. Same holds true for Cisco as well though :)
>> Agreed, sometimes there are shortcomings. I wasn't aware that
>> connecting overlapping subnets was possible (reliably) with any
>> product? Perhaps I am misunderstanding?
> Cisco kit has done it for ... at least 15 years. And I mean
> connecting overlapping subnets on both ends of a L2L VPN, yes...
> 10.0.0.0/24|SiteA <---------> SiteB| 10.0.0.0/24
> You "NAT before IPsec" to overcome this, so from SiteA network, you
> access 10.0.1.0/24, and your device NATs this to 10.0.0.0/24 on the
> other end of that particular tunnel, and does the reverse for traffic
> coming from the other direction. You also have to overcome it on the
> other side, so you have to do the same, although you are free to
> choose any network you like....
> Yes, it works... but not on BSD.
I see, but a SiteA IP of 10.0.0.10 still would not be able to reach a
SiteB IP of 10.0.0.10 would it? If it can, I've got some reading and
testing to do.
>> I've typically separated VPN services anyway, not leaving those up
>> to the firewall at all (Unless it is site to site).
> I do not know if this is possible for a RA VPN, I've found keeping
> office networks off 192.168.0.0/22, 192.168.100.0/22, 192.168.254.0/24
> and 10.0.0.0/24 will take care of the home users 99.9% of the time.
> Otherwise, we renumber something.
>> I'm particularly interested in the UDP AD traffic issue, I have
>> not heard of that particular issue.
> My Google-Fu is failing me, so it's either been fixed since 2.0, or I
> am misremembering some detail. It involved a remote XP workstation,
> AD at HQ, and some type of AD related UDP traffic that could be
> reghacked to use TCP. I didn't work the issue in depth, although I
> did locate the definitive issue at the time. I will inquire with the
> coworker who was more deeply involved and circle back to you on this.
Yeah, let me know if you find anything. We deal with AD federated sign-on
for some clients and if an issue crops up this is now in my "check on
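The "NAT before IPsec" arrangement Dave describes, modelled in Python as an added example (this is not code from the thread, nor from Cisco or pfSense). It assumes constructed numbering: both LANs are 10.0.0.0/24, SiteB is reached from SiteA as 10.0.1.0/24 (the range named in the message), and SiteA is reached from SiteB as 10.0.2.0/24, an arbitrary choice. Each firewall translates its own LAN in both directions, so the tunnel and its IPsec traffic selectors only ever see 10.0.2.x <-> 10.0.1.x. The Site, Packet, translate, deliver and round_trip names are this example's own.

```python
"""
Model of "NAT before IPsec" for a site-to-site tunnel between two LANs that
both use 10.0.0.0/24.  Added illustration, not code from the thread or from
any firewall vendor.  Assumed (constructed) numbering:
  - SiteB is reached from SiteA as 10.0.1.0/24
  - SiteA is reached from SiteB as 10.0.2.0/24
Each site translates its OWN LAN: source NAT on the way into the tunnel and
the reverse translation on the way out.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


def translate(addr: IPv4Address, from_net: IPv4Network, to_net: IPv4Network) -> IPv4Address:
    """Move a host address from one /24 to the same host index in another /24."""
    offset = int(addr) - int(from_net.network_address)
    return IPv4Address(int(to_net.network_address) + offset)


@dataclass(frozen=True)
class Site:
    name: str
    lan: IPv4Network            # real LAN, identical at both sites
    exported: IPv4Network       # how the peer addresses this LAN
    peer_exported: IPv4Network  # how this LAN addresses the peer

    def __post_init__(self):
        # The chosen ranges must be unique: an exported range that overlaps the
        # LAN would make hosts treat tunnel addresses as local, and the two
        # exported ranges must not overlap each other either.
        for a, b in ((self.lan, self.exported), (self.lan, self.peer_exported),
                     (self.exported, self.peer_exported)):
            if a.overlaps(b):
                raise ValueError(f"{self.name}: {a} overlaps {b}")

    def to_tunnel(self, pkt: Packet) -> Optional[Packet]:
        """LAN -> tunnel.  Only traffic for the peer's exported range is NATed
        and sent into the tunnel; anything else (including 10.0.0.x) stays local."""
        if pkt.dst not in self.peer_exported or pkt.src not in self.lan:
            return None
        return Packet(translate(pkt.src, self.lan, self.exported), pkt.dst)

    def from_tunnel(self, pkt: Packet) -> Optional[Packet]:
        """Tunnel -> LAN.  Undo our own source NAT on the destination address."""
        if pkt.dst not in self.exported or pkt.src not in self.peer_exported:
            return None
        return Packet(pkt.src, translate(pkt.dst, self.exported, self.lan))


def deliver(sender: Site, receiver: Site, pkt: Packet) -> Optional[Tuple[Packet, Packet]]:
    """Carry one packet across the tunnel; returns (on-the-wire, as-delivered)."""
    wire = sender.to_tunnel(pkt)
    if wire is None:
        return None
    delivered = receiver.from_tunnel(wire)
    return (wire, delivered) if delivered is not None else None


LAN = IPv4Network("10.0.0.0/24")
SITE_A = Site("SiteA", LAN, IPv4Network("10.0.2.0/24"), IPv4Network("10.0.1.0/24"))
SITE_B = Site("SiteB", LAN, IPv4Network("10.0.1.0/24"), IPv4Network("10.0.2.0/24"))


def round_trip(a_host: str, b_host: str):
    """A SiteA host talks to a SiteB host (addressed through SiteB's exported
    range) and SiteB replies.  Returns the four packet views:
    (request on wire, request as delivered, reply on wire, reply as delivered),
    or None if either direction is undeliverable."""
    a = IPv4Address(a_host)
    b = IPv4Address(b_host)
    req = deliver(SITE_A, SITE_B, Packet(a, translate(b, LAN, SITE_B.exported)))
    if req is None:
        return None
    wire_req, delivered_req = req
    # SiteB answers the source it saw, which is SiteA's exported address.
    rep = deliver(SITE_B, SITE_A, Packet(b, delivered_req.src))
    if rep is None:
        return None
    wire_rep, delivered_rep = rep
    return wire_req, delivered_req, wire_rep, delivered_rep


if __name__ == "__main__":
    for p in round_trip("10.0.0.10", "10.0.0.10"):
        print(f"{p.src} -> {p.dst}")
```

Running it shows the 10.0.0.10 at SiteA reaching the 10.0.0.10 at SiteB by addressing 10.0.1.10: on the wire the request is 10.0.2.10 -> 10.0.1.10 and it is delivered as 10.0.2.10 -> 10.0.0.10, with the reply translated the same way in reverse. A SiteA packet sent to 10.0.0.10 directly never enters the tunnel, and the constructor refuses exported ranges that collide with the LAN or with each other, which is the constraint behind "you are free to choose any network you like".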